Introduction and context


§§ Adobe Flex

• Framework for building Rich Internet Applications based on Adobe Flash

§§ ActionScript

• ActionScript is an object-oriented programming language commonly used within Adobe Flash applications

§§ Action Message Format (AMF)

• Introduced with Flash Player 6

• Compact binary format to serialize ActionScript objects

• Faster data transfer compared to text-based protocols

• An efficient mechanism to:

  • Save and retrieve application resources

  • Exchange strongly typed data between client and server


AMF for end-users


AMF for old-school hackers


AMF for web hackers


[Screenshot: Burp Proxy history. GET requests to http://127.0.0.1:8400/ds-console/ and its scripts return 304; a series of POST requests to http://127.0.0.1:8400/ds-console/messagebroker/amf return 200 with MIME type AMF]
[Screenshot: the same POST request decoded in Burp's AMF tab (Request > Raw | Params | Headers | Hex | AMF)]

  Name              Type     Value
  body
    target          string   null
    response        string
    response method string   null
    data            array
      [0]           RemotingMessage
        Source                 null
        Body          array
        Operation     string   getFlexMBeanObjectNames
        RemoteUsername         null
        RemotePassword         null
        Timestamp     number
        (headers)     map
          DSId        string   C4BFF0DF-3F18-CF9B-C992-1EDE5935823F
          DSEndpoint  string   amf
        TimeToLive    number   0
        Destination   string   Runtime Management
        ClientId               null
        MessageId     string   23A4CAC9-A1A5-A30E-A612-6E147317E42D
AMF0 versus AMF3


AMF0

§§ Flash Player 6

§§ Object instances can be sent by reference

§§ Support for ActionScript 1.0


AMF3

§§ Flash Player 9

§§ Object instances, traits and strings can be sent by reference

§§ Support for new ActionScript 3.0 data types

§§ Support for flash.utils.IExternalizable

§§ Variable length encoding scheme for integers

Adobe BlazeDS


§§ Server-side Java Remoting/Messaging technology

§§ Using Flex Remoting, any Flex client or AIR application can communicate with remote services and exchange data

§§ In practice, clients invoke Java methods from classes deployed within a traditional J2EE application server (e.g. Apache Tomcat)

§§ A widely deployed implementation

§§ Multiple alternatives exist:

• Java: Adobe LiveCycle Data Services, Granite, ...

• Others: RubyAMF, FluorineFX, amfPHP, ...




Action Message Format (AMF)


§§ AMF request/response types:

• CommandMessage

• RemotingMessage

• AcknowledgeMessage

• ErrorMessage

• HTTPMessage / SOAPMessage


§§ Client-Server communication through channels:

• Endpoint

  • e.g. http://o/messagebroker/amf

• Destination Service

  • e.g. echoService

• Operation

  • e.g. String echo(String input)


[Diagram: Client -> Channel -> BlazeDS Endpoint -> Destination -> Operation]
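As an added example (not Blazer's code, which relies on Adobe's AMF libraries), the following Python builds the RemotingMessage a Flex client would send to the endpoint above for destination echoService and operation echo, and wraps it in an AMF packet. The member names are those of flex.messaging.messages.RemotingMessage, the endpoint name "my-amf" is taken from the captured request later in this deck, the messageId is a constructed placeholder, and the byte layout (AMF0 envelope, AVM+ switch, AMF3 traits and the variable-length U29 integers contrasted on the AMF0 versus AMF3 slide) follows the AMF0/AMF3 specifications.

```python
import struct

def u29(n: int) -> bytes:
    """AMF3 variable-length integer: 7 bits per byte for 1-3 bytes, the 4th byte carries 8 bits."""
    assert 0 <= n < 1 << 29, "U29 holds 29 bits"
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([0x80 | n >> 7, n & 0x7F])
    if n < 0x200000:
        return bytes([0x80 | n >> 14, 0x80 | n >> 7 & 0x7F, n & 0x7F])
    return bytes([0x80 | n >> 22, 0x80 | n >> 15 & 0x7F, 0x80 | n >> 8 & 0x7F, n & 0xFF])

def utf8_vr(s: str) -> bytes:
    raw = s.encode()
    return u29(len(raw) << 1 | 1) + raw  # U29S-value: low bit 1 = inline string, not a string-table reference

def amf3(v) -> bytes:
    """Encode v as an AMF3 value with everything inline (no object, string or trait references);
    an (alias, members) tuple is a strongly typed object whose sealed members follow dict order."""
    if v is None:
        return b"\x01"
    if isinstance(v, bool):
        return b"\x03" if v else b"\x02"
    if isinstance(v, int) and -(1 << 28) <= v < 1 << 28:
        return b"\x04" + u29(v & 0x1FFFFFFF)  # integer marker; wider ints fall through to double
    if isinstance(v, (int, float)):
        return b"\x05" + struct.pack(">d", v)
    if isinstance(v, str):
        return b"\x06" + utf8_vr(v)
    if isinstance(v, list):  # dense array: (count << 1 | 1), empty associative part, then the items
        return b"\x09" + u29(len(v) << 1 | 1) + b"\x01" + b"".join(map(amf3, v))
    if isinstance(v, dict):  # anonymous dynamic object (an ActionScript Object), e.g. the headers
        return b"\x0a\x0b\x01" + b"".join(utf8_vr(k) + amf3(x) for k, x in v.items()) + b"\x01"
    alias, members = v  # U29O-traits: (sealed member count << 4) | inline-object and inline-traits bits
    out = b"\x0a" + u29(len(members) << 4 | 0x03) + utf8_vr(alias) + b"".join(map(utf8_vr, members))
    return out + b"".join(map(amf3, members.values()))

def remoting_message(destination: str, operation: str, params: list, endpoint: str = "my-amf"):
    """Members of flex.messaging.messages.RemotingMessage; messageId is a constructed placeholder, DSId is "nil" until the server assigns one."""
    return ("flex.messaging.messages.RemotingMessage", {
        "body": params, "clientId": None, "destination": destination,
        "headers": {"DSEndpoint": endpoint, "DSId": "nil"}, "messageId": "00000000-0000-0000-0000-000000000000",
        "operation": operation, "source": None, "timestamp": 0, "timeToLive": 0})

def amf_packet(message, response_uri: str = "/1") -> bytes:
    """AMF0 envelope (version 3, no headers, one body): a strict array whose single element switches to AMF3 via the AVM+ marker 0x11."""
    body = b"\x0a" + struct.pack(">I", 1) + b"\x11" + amf3(message)
    out = struct.pack(">HHH", 3, 0, 1) + b"\x00\x04null" + struct.pack(">H", len(response_uri)) + response_uri.encode()
    return out + struct.pack(">I", len(body)) + body
```

Posting `amf_packet(remoting_message("echoService", "echo", ["BH"]))` with Content-Type application/x-amf to the endpoint is exactly what Burp's AMF tab decodes into the target/response/data tree shown earlier.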






State of art (research, tools)


§§ Testing Flash Applications, OWASP AppSec 2007

• Stefano Di Paola

§§ Flex, AMF3 And BlazeDS - An Assessment, Blackhat USA 2008

• Jacob Carlson and Kevin Stadmeyer

§§ Deblaze, Defcon 17

• Jon Rose

• Deblaze: remote method enumeration tool for Flex servers

§§ Pentesting Adobe Flex Applications, OWASP NY 2010

• Marcin Wielgoszewski

• Blazentoo: a tool to exploit proxy services

§§ Starting from Burp Suite 1.2.124

• Allows to visualize and tamper with AMF requests and responses

§§ Other debugging tools

• Charles Proxy, WebScarab, Pinta AIR app, ...



Testing remote methods, today


§§ Traffic inspection and tampering

• Using network packet analyzers

• Using HTTP proxies


§§ Enumeration (black-box testing)

• Retrieving endpoints, destinations and operations from the traffic

• Decompiling the Flex application

• Brute-forcing endpoint, destination and operation names




"Life is pain, Highness. Anyone who tells you differently is selling something."

W. Goldman


Is this the best we can do?


PRO

§§ Ideal for black-box testing, limited knowledge required


CONS

§§ Time consuming

§§ Requires to invoke all application functionalities

§§ What about custom objects?

§§ What about "hidden" services?

§§ How to ensure coverage?



Enterprise-grade applications


§§ Large attack surface

§§ Custom externalizable classes

§§ We have seen applications with more than 500 remote invokable methods and more than 600 custom Java objects



[Screenshot: Burp Repeater, Request > Raw view of an AMF call from the BlazeDS samples application]

POST /samples/messagebroker/amf HTTP/1.1
Host: 127.0.0.1:8400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0) Gecko/20100101 Fi[...]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Cookie: JSESSIONID=ABD7C9C82A4A1CAD9615C63C59580110
Referer: http://127.0.0.1:8400/samples/inventory/inventory.swf/[[DYNAMIC]]/6
Content-type: application/x-amf
Content-Length: 466

(binary AMF body; printable fragments: null, /4, body, clientId, headers, flex.messaging.messages.RemotingMessage, source, operation, update, flex.samples.product.Product, price, productId, category, description, qtyInStock, image, Italy, merlot.jpg, Wine, a product UUID, DSEndpoint, my-amf, DSId, ...)




























Security Testing Areas


§§ Authentication

• Missing authentication

• Authentication bypass flaws

• ...

§§ Authorization and Access Control

• Direct object reference bugs

• Horizontal and vertical escalation bugs

• ...

§§ Error Handling

• Information disclosure via stack traces

• ...

§§ Input Validation

• SQL Injection vulnerabilities

• ...

§§ Output Encoding


§§ Custom AMF message generator with fuzzing capabilities

§§ Method signatures and Java reflection are used to dynamically generate valid objects


Blazer - AMF Testing Made Easy 


[Screenshot: Blazer's "Remote Method Signatures" tab. A table with columns Id, Type, Name, Method, Parameters and Annotations lists the application's classes (censusEntryVO, censusService, connectionHelper, company) with their methods (getId, setId, getAge, setAge, getClassOfWor[...], setClassOfWor[...], getEducation, setEducation, getMaritalStatus, setMaritalStatus, getRace, setRace, getSex, getElements, getConnection, close, getAddress, setAddress) and parameter types (int, java.lang.String, java.sql.Conne[...]); checkboxes "@RemotingInclude only" and "Interfaces only", buttons "Select All" and "Deselect All"]


§§ GUI-based Burp Suite plugin

• Well-integrated, so you won't need to leave your favorite tool

• Burp Free and Pro

• With Nimbus look'n'feel too


§§ GNU GPL software


[Embedded tweet]
Dafydd Stuttard: "@_ikki Pro version 1.4.08 is out now. Beware Nimbus - she's a cruel mistress"


§§ Start Burp with

• java -classpath burp.jar:Blazer_v0.2.jar burp.StartBurp

and launch Blazer from the context menu



























Blazer - Architecture 1/2


§§ A packet generator

• based on Adobe AMF OpenSource libraries

§§ An object generator

• to build valid application objects using "best-fit" heuristics

§§ A lightweight fuzzing infrastructure

• to generate attack vectors, insert payloads within objects, manage multiple threads and monitor the progress


§§ Blazer's core classes are:

• com.mtso.blazer.ObjectGenerator

• com.mtso.blazer.MessageGenerator

• com.mtso.blazer.TaskManager

• com.mtso.blazer.MessageTask


Blazer - Architecture 2/2


§§ By default, Blazer uses Burp Proxy to record requests and responses

• so that you can benefit from all Burp's built-in tools available


[Screenshot: Burp Proxy history filter dialog: filter by request type (in-scope, with responses, parameterized), by MIME type (HTML, script, XML, CSS, other text, images, Flash, other binary), by status code (2xx-5xx), by search term (regex, case sensitive, negative), by file extension and by annotation]


§§ Users can configure their custom proxy:

• Another instance of Burp to avoid a "collapse" during fuzzing

• A better tool for displaying AMF messages







DEMO 1


§§ General usage

1. Application Libraries

2. Remote Method Signatures

3. General Options and Data Pools

4. Status

5. (Optional) BeanShell

§§ Objects generation

§§ Manual testing using BeanShell

  $ MessageGenerator myGen = new MessageGenerator("127.0.0.1", "8080", ENDPOINT, "");
  $ MessageSkeleton message = new MessageSkeleton(SERVICE, OPERATION);
  $ message.addPar("BH");
  $ myGen.send(message);



DEMO 2


§§ Finding vulnerabilities with Blazer

• Test case: Discover unauthenticated and exposed operations


Blazer - Core techniques 1/3


§§ Objects generation

• Java reflection

• "Best-fit" heuristics

• Randomness and permutations


[Class diagram, package myApp]

  User                 1 ---- *   Role
    int userID                      String roleName
    myApp.Role role                 int[] privs
    getUser()                       getPrivs()
    getRole()                       addPriv(int)
    disable()
    enable()













Blazer - Core techniques 2/3


§§ Data Pools

• Containers for "good" user-supplied input

• Allow to instantiate objects and invoke methods with semantically valid data

• Available for all primitive types and String

• Require to be customized for the target

§§ Attack vectors

• Relevant for String objects only

• The attack vector probability allows to unbalance the String data pool with attack vectors


Blazer - Core techniques 3/3


[Diagram: nested loops over Attack vector, Destination (classes) and Operation (methods); each Thread draws from the Data Pools and runs:]

  while (numPerm < maxPerm) {
      generateObject(signature);
      sendObject();
  }

  Object generate(String signature) {
      if (int) {
          getIntFromPool();
      } else if (java.lang.String) {
          getStringFromPool();
      } ... else {
          // Build the obj
          obj = c.newInstance();
          // Populate obj using internal methods
          // Call recursively generate(newSign)
      }
  }
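The generate(String signature) loop above, as an added Python analogue that is not Blazer's Java code: dataclass field types stand in for Java reflection on method signatures, POOLS and ATTACK_VECTORS are constructed data pools, attack_prob is the attack vector probability from the Data Pools slide, and the User/Role classes follow the diagram in Core techniques 1/3.

```python
import random
from dataclasses import dataclass, fields, is_dataclass

# Data pools: "good" values per primitive type (constructed samples; a tester tunes them per target).
POOLS = {int: [0, 1, 42, 2**31 - 1], str: ["admin", "guest", "wine"]}
# Attack vectors apply to String members only (constructed list standing in for a fuzzing wordlist).
ATTACK_VECTORS = ["' OR '1'='1", "<script>alert(1)</script>", "../../etc/passwd"]

@dataclass
class Role:          # myApp.Role from the class diagram
    roleName: str
    privs: list      # int[] on the slide

@dataclass
class User:          # myApp.User from the class diagram
    userID: int
    role: Role

class ObjectGenerator:
    """Recursive "best-fit" builder: primitives come from the pools, objects are instantiated and
    each member is generated from its declared type, as generate(String signature) does via reflection."""

    def __init__(self, attack_prob: float = 0.3, seed=None):
        self.attack_prob = attack_prob   # share of String draws replaced by an attack vector
        self.rng = random.Random(seed)   # seeded so a permutation run can be reproduced

    def generate(self, sig):
        if sig is int:
            return self.rng.choice(POOLS[int])
        if sig is str:                   # unbalance the String pool towards attack vectors
            if self.rng.random() < self.attack_prob:
                return self.rng.choice(ATTACK_VECTORS)
            return self.rng.choice(POOLS[str])
        if sig is list:                  # untyped array: a short run of ints from the pool
            return [self.generate(int) for _ in range(self.rng.randint(0, 3))]
        if is_dataclass(sig):            # build the object, then recurse on each member's type
            return sig(**{f.name: self.generate(f.type) for f in fields(sig)})
        raise TypeError(f"no heuristic for signature {sig!r}")

def permutations(gen: ObjectGenerator, signature, max_perm: int) -> list:
    """The while (numPerm < maxPerm) loop: one freshly generated object per permutation."""
    return [gen.generate(signature) for _ in range(max_perm)]

def attack_strings(obj) -> list:
    """Collect the String members holding an attack vector, i.e. which payloads a sent object carried."""
    if isinstance(obj, str):
        return [obj] if obj in ATTACK_VECTORS else []
    if is_dataclass(obj):
        return [s for f in fields(obj) for s in attack_strings(getattr(obj, f.name))]
    return []
```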

















Test case: SQL injection


  public List getProductsByHash(HashMap paramHashMap) throws DAOException
  {
      String str = (String) paramHashMap.get("key");
      ArrayList localArrayList = new ArrayList();
      Connection localConnection = null;
      try
      {
          localConnection = ConnectionHelper.getConnection();
          // The untrusted "key" value is concatenated straight into the SQL text: the flaw under test
          PreparedStatement localPreparedStatement =
              localConnection.prepareStatement("SELECT * FROM product WHERE UPPER( " + str + " )");
          // ... (remainder of the decompiled method not shown on the slide)


Blazer - "Best-fit" heuristics 1/2


§§ For example, let's build a HashMap

  // Generation only
  ObjectGenerator tCObj = new ObjectGenerator(task, null);
  tCObj.generate("java.util.HashMap");


[Screenshot: java.util.HashMap Javadoc, Constructor Summary]

  HashMap()
    Constructs an empty HashMap with the default initial capacity (16) and the default load factor (0.75).

  HashMap(int initialCapacity)
    Constructs an empty HashMap with the specified initial capacity and the default load factor (0.75).

  HashMap(int initialCapacity, float loadFactor)
    Constructs an empty HashMap with the specified initial capacity and load factor.

  HashMap(Map m)
    Constructs a new HashMap with the same mappings as the specified Map.

































Blazer - "Best-fit" heuristics 2/2


Generated object: {foo=bar,null}


[Screenshot: java.util.HashMap Javadoc, Method Summary, with put(Object key, Object value) and the generated values "foo" and "bar" highlighted]

  void     clear()                         Removes all mappings from this map.
  Object   clone()                         Returns a shallow copy of this HashMap instance: the keys and values themselves are not cloned.
  boolean  containsKey(Object key)         Returns true if this map contains a mapping for the specified key.
  boolean  containsValue(Object value)     Returns true if this map maps one or more keys to the specified value.
  Set      entrySet()                      Returns a collection view of the mappings contained in this map.
  Object   get(Object key)                 Returns the value to which the specified key is mapped in this identity hash map, or null if the map contains no mapping for this key.
  boolean  isEmpty()                       Returns true if this map contains no key-value mappings.
  Set      keySet()                        Returns a set view of the keys contained in this map.
  Object   put(Object key, Object value)













































DEMO 3


§§ Finding vulnerabilities with Blazer

• Test case: SQL injection


Coverage and Scalability


§§ With unlimited time, you could theoretically get close to 99.9% coverage

§§ In practice, Blazer and target setup are crucial

• Optimize the number of permutations, depending on the complexity of the method's arguments

• Balance "good" and "bad" attack vectors

§§ During big assessments, time matters!

§§ Let's do some math:

• Application with ~500 exposed operations

• 45 attack vectors (Burp's default fuzzing list in Intruder)

• 35 permutations (average for big apps, experimentally determined)

• ~500 x 45 x 35 = ~787,500 reqs

• Let's assume a conservative ~80 reqs/sec

• It's ~2.7 hours for a full run with a relatively small wordlist



AMF Security Testing with Blazer


§§ Authentication

• Generate valid messages and verify that all operations require a valid session token


§§ Authorization and Access Control

• Generate valid messages with different session tokens

• Customize the data pools, generate objects with multiple permutations and look for DOR bugs


§§ Error Handling, Input Validation

• Perform fuzzing with your favorite wordlists and manually validate the results:

  • Sorting by response size

  • Filtering by search term with regex

  • Exporting responses and using your custom "grep" tool


Conclusions


§§ During real-life assessments, the approach has been proven to increase coverage and effectiveness

§§ Blazer was designed to make AMF testing easy, and yet allows researchers to fully control the entire security testing process

§§ From 0 to message generation and fuzzing in just a few clicks

§§ Using Blazer's internal classes, it is possible to build and send AMF messages from your favorite scripting language



Future improvements


§§ Upcoming:

• Allow import of source code and classes from entire directories

• Sandbox com.mtso.blazer.ObjectGenerator to avoid dangerous method execution while generating custom objects


§§ Wish-list:

• Embed a utility for displaying complex AMF messages

• Auto-selection of remote method signatures for requests already present in Burp History

• Auto-save of recent Blazer configurations


That's all folks!


§§ Questions? Critics? Suggestions?

• Now!

• By email: luca@matasano.com

• By Twitter: @_ikki


§§ Please complete the Speaker Feedback Surveys